In 2015 INSCT began a collaboration with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE), based in Tallinn, Estonia. As the authors of the “Tallinn Manual on International Law Applicable to Cyber Warfare,” experts at CCDCOE are at the forefront of understanding the challenges of applying existing international laws and norms to the constantly evolving cyber realm. As the Tallinn Manual project continues, INSCT staff, faculty, and associates have been invited to add their insights into how to reform international law and domestic law in the digital age.

Tallinn Manual 2.0

Tallinn Manual 2.0 expands on the highly influential first edition by extending its coverage of the international law governing cyber operations to peacetime legal regimes. The product of a three-year follow-on project by a new group of 20 renowned international law experts, it addresses such topics as sovereignty, state responsibility, human rights, and the law of air, space, and the sea.

Tallinn Manual 2.0 identifies 154 ‘black letter’ rules governing cyber operations and provides extensive commentary on each rule. Although Tallinn Manual 2.0 represents the views of the experts in their personal capacity, the project benefitted from the unofficial input of many states and over 50 peer reviewers.

“Black letter” rules state the international law applicable to cyber warfare

The Commentary discusses the rules and lays out their legal basis and logic

Project 1: Controlling Economic Cyber Espionage

Contemporary cyber spies—often under the control of nation states—are just as likely to be plundering the intellectual property and customer information of international businesses as waging covert cyberwar against military enemies. Yet legal, policy, and technological means for countering cyber espionage are not always clear.

“Who is doing the spying and by what methods? What is the current thinking of government and industry about the problem? And what methods of protection—such as identity assurance—currently exist?”

In order to examine the state of domestic and international approaches for controlling—and to offer recommendations for policymakers and practitioners who are addressing—this postmodern form of economic, military, and industrial spying, INSCT joined with the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) to host “Controlling Economic Cyber Espionage,” an interdisciplinary workshop held at SU College of Law on June 18 and 19, 2015.

The workshop convened cyber experts from around the globe, including:

Michael Schmitt, Director of the Stockton Center for the Study of International Law at the US Naval War College

Panels asked who is doing the spying and by what methods, what is the current thinking of government and industry about the problem, and what methods of protection—such as identity assurance—currently exist. The workshop also analyzed the domestic and international law and policy landscape to ascertain what reforms and actions are necessary as cyber espionage—and cyber war in general—evolves. Answers were drawn from the disciplines of foreign and domestic law, public policy, international affairs, defense strategy, law enforcement, computer engineering, and finance.

Products

“The confluence of interests between victims of overbroad surveillance and cyber espionage presents an opportunity to begin developing new norms and eventual international law that could bring more rationality, predictability, and privacy protections to the cyber domain. The costs of cyber espionage are real, and the threats and vulnerabilities will increase with the progression of technology. Companies and governments are underprepared for the level of cyber espionage they are facing. Solutions vary, but they all share the common foundation of increased international cooperation and the development of a customary international legal framework that everyone understands.”

Territoriality looms large in our jurisprudence, particularly as it relates to the government’s authority to search and seize. Fourth Amendment rights turn on whether the search or seizure takes place territorially or extraterritorially; the government’s surveillance authorities depend on whether the target is located within the US or without; and courts’ warrant jurisdiction extends, with limited exceptions, only to the border’s edge. Yet the rise of electronic data challenges territoriality at its core. Territoriality, after all, depends on the ability to define the relevant “here” and “there,” and it presumes that the “here” and “there” have normative significance. The ease and speed with which data travels across borders, the seemingly arbitrary paths it takes, and the physical disconnect between where data is stored and where it is accessed, critically test these foundational premises. Why should either privacy rights or government access to sought-after evidence depend on where a document is stored at any given moment? Conversely, why should State A be permitted to unilaterally access data located in State B, simply because technology allows it to do so, without regard to State B’s rules governing law enforcement access to data held within its borders? This article tackles these challenges. It explores the unique features of data, and highlights the ways in which data undermines long-standing assumptions about the link between data location and the rights and obligations that ought to apply. Specifically, it argues that a territorial-based Fourth Amendment fails to adequately protect “the people” it is intended to cover. On the other hand, the article warns against the kind of unilateral, extraterritorial law enforcement that electronic data encourages, in which nations compel the production of data located anywhere around the globe, without regard to the sovereign interests of other nation-states.

Brown presents the nuances of cyber espionage versus cyber attacks that are becoming more pervasive in the national security context. He defines the differences between the two, and proposes a method of analyzing cyber operations to properly categorize them. Then, using an extended hypothetical and several real-life examples, Brown illustrates how dangerous cyber operations can be, and the need to properly define them so as to respond most effectively.

In “Deterring Financially Motivated Cybercrime,” Zachary K. Goldman and Damon McCoy present three strategies for deterring attacks that use malicious cyber capabilities to generate a profit. Each strategy—the imposition of financial sanctions, public/private partnerships to disrupt tools of cybercrime, and activities to disrupt payment networks run by criminals who sell fraudulent goods over the Internet—is analyzed for strengths and weaknesses. The authors conclude with a discussion of the ways in which regulatory tools to combat cybercrime can overcome problems with formulating a cohesive deterrent strategy, such as secrecy and attribution.

Clare Sullivan posits that the 2014 hack of Sony Pictures Entertainment (“Sony Hack”) heralds the arrival of a new form of modern warfare. She argues that the current state of international law is inadequate to deal with hacks like this one, which do not cause physical damage but which nonetheless result in serious economic harm and violations of privacy. In the author’s view, a new approach is needed to ensure that countries are permitted under international law to respond to and take countermeasures against such hacks.

Related Scholarship

By William C. Banks (In Research Handbook on the Politics of International Law. Eds. W. Sandholtz & C. Whytock. Edward Elgar, 2017.)

“In this chapter, the focus is on legal change. When the normative framework governing kinetic warfare does not fit cyber conflict, how do adaptations occur that permit regulation of or responses to harmful cyber intrusions? In other words, the most important stage of governance in managing cyber conflict has arrived long after the norms and institutions are in place. In setting up legal change in the cyber domain, I will review the ad bellum justifications for conducting cyber war within the Charter and LOAC systems …”

Trey Herr and Paul Rosenzweig take up the complex task of characterizing software products in the context of the current export regulatory regime. Herr and Rosenzweig use their PrEP model to distinguish the components of the software functionally. They isolate the payload component as requiring special consideration, and propose a policy approach to regulating software exports based on their effects.

States are not likely to consent to new international rules that restrict the use of cyber weapons. For better or worse the conditions necessary to promote the emergence and development of legalist constraints are not present in sufficient degree to support further international rules governing cyber conflict – any more than those conditions have been present in the past to support the emergence of rules governing clandestine or covert intelligence operations of which cyber activity normally is a part.

“This brief essay will focus on two more interesting questions: First, whether or not there is a class of issues and challenges in policy making that is unique to the cyber domain; and second, whether there are issues that, if not unique, are more predominant or readily apparent in the context of cyber policy making than in other areas of governmental endeavor …”

Related Events

Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations

Feb. 7, 2017 | Strauss Center for International Security and Law, University of Texas-Austin

On Feb. 7, 2017, the Texas Law Review hosted the symposium “Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations,” co-sponsored by the Robert Strauss Center for International Security and Law and the Lieber Institute for Law & Land Warfare at the United States Military Academy.

This day-long event featured panels addressing sovereignty in cyberspace, jurisdiction over cyber activities, and international human rights law in cyberspace, among other timely topics.

Cyber at NATO: The Operational Domain Challenge

A guest of professors William Snyder and Lee McKnight and their Cybersecurity Law and Policy/Information Security Policy class, INSCT alumnus Siim Alatalu (MAIR ’06) spoke about NATO, cyber attacks and cyberwar, and international policy and cooperation at SU College of Law on Oct. 24, 2016. Alatalu is an international relations advisor at INSCT partner the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE).

The Frontiers of Cybersecurity Policy and Law

Feb. 4-6, 2016 | Strauss Center for International Security and Law, University of Texas-Austin

In February 2016, the Strauss Center at the University of Texas-Austin hosted a conference on the legal and policy dimensions of cybersecurity. Sponsors were the Christian Science Monitor, the American Journal of Criminal Law, and the ABA Standing Committee on Law and National Security.

Topics included the aftermath of the “going dark” debate; the evolving regulatory environment for the security/research sector; export controls; and “active defense” of networks (including “hackbacks” and “botnet takedowns”).

ABA SCOLANS also sponsored a training workshop on cybersecurity law and policy, with sessions addressing federal criminal law, investigative and intelligence law, regulatory law, and international law.

SPECIAL SESSION: “Big Data, Privacy, and Security: Comparing US and German Perspectives”

Recording of transatlantic dialogue with counterparts in Berlin for an episode of the America Abroad Media radio documentary series.

SESSION 3: “Hacking Back and Other Active Defense Measures”

Richard Downing, US Department of Justice

Christian Beckner, George Washington University

Andrew Woods, University of Kentucky

Paul Ohm, Georgetown University

Moderator: Eric Greenwald, Strauss Center

SESSION 4: “Botnet Takedowns: Technical, Legal, and Policy Issues”

Sean Farrell, FBI

Kristen Eichensehr, UCLA

Richard Boscovich, Microsoft

Greg Nojeim, CDT

Moderator: Bobby Chesney, Strauss Center

Saturday, Feb. 6, 2016

ABA SCOLANS Teacher-Training Workshop

SESSIONS 1 AND 2: “Cyber, Surveillance Law and Criminal Law”

Bill Banks, INSCT

Jen Daskal, American University

Paul Ohm, Georgetown University

Richard Downing, US Department of Justice

Sean Farrell, FBI

Moderator: Bobby Chesney, Strauss Center

SESSION 3: “Cyber in the Business and Regulatory Contexts”

Andrew Woods, University of Kentucky

Matt Perault, Facebook

Kristen Eichensehr, UCLA

Moderator: Harvey Rishikof, ABA SCOLANS

KEYNOTE SPEAKERS: Daniel Placek, Darkode, and Dina Temple-Raston, NPR

SESSIONS 4 AND 5: “Cyber, International Law, and the Laws of War”

Eric Jensen, Brigham Young University

Derek Jinks, University of Texas

Sean Watts, Creighton University School of Law

Elaine Korzak, Stanford University

Dakota Rudesill, University of Ohio

Project 2: Human Rights in Cyberspace

The continuing, rapid development of online technologies, while offering unprecedented opportunities for individuals and groups to exercise the freedom of expression, can easily lead to human rights infringements.

“Law is playing catch-up with technology and nations are running the risk of undermining human rights instead of strengthening them.”

In October 2015, lawyers and legal scholars from governments, academia, and NGOs gathered in Tallinn, Estonia, to discuss the future of human rights in cyberspace, in a workshop hosted by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and co-sponsored by the Institute for National Security and Counterterrorism at SU (INSCT). Specifically, esteemed delegates at “Human Rights in Cyberspace” focused on how to apply the long-established principles of international human rights law to rapid technological developments and on the balance between free expression and law enforcement in a realm that is increasingly borderless, expansive, and chaotic.

In introducing the workshop, Lorena Trinberg, a legal researcher at CCDCOE, emphasized that governmental cyber measures need to be in line with human rights norms and that “law is playing catch-up with technology and nations are running the risk of undermining human rights instead of strengthening them.”

“The Internet provides new means for enabling governmental privacy intrusions and causing national security and economic harm. At the same time it gives states tools to keep tabs on different actors,” explained Professor William C. Banks, Dean of SU Law and INSCT Founding Director. “International law should and will have an important role to play in bringing some order, predictability, and stability to these aspects of the cyber domain.”

“The Internet presents unprecedented challenges to human rights through cyberattacks and surveillance. It also functions as a platform for crime and incitement of violence through hate speech and recruitment to terrorism,” said visiting Professor Gabor Rona of the Benjamin N. Cardozo School of Law and the former International Legal Director of Human Rights First. “States are drawn between obligations to ensure privacy and free expression online while having to police the Internet for human rights violations, such as incitement to hate crimes, fraud, child pornography, and threats to national security.”

Products & Relevant Scholarship

Part A of this report provides a brief overview of the workshop’s main topics. The workshop began with evolutionary aspects of the cyber realm and human rights, and continued with debates on specific problems, such as the extraterritorial application of human rights treaties and an intriguing debate on future developments in cyber law. Part B offers the event agenda, while Part C features presentation abstracts and biographies of the speakers and other project principals.

In this article, Gabor Rona and Lauren Aarons explore how international human rights law applies to cyberspace. They address the substantive obligations of the state responsibility to respect, ensure, and promote human rights in cyberspace, including protecting against third party abuse and providing remedies for violations. Finally, the authors outline the limitations of and permissible restrictions on human rights obligations in cyberspace.

Jennifer Daskal describes the challenges facing law enforcement access to data across borders and examines the legal and political issues at stake in formulating clear standards for cross-border access to data.

The guide was developed by SU students and alumni across the iSchool, Maxwell School, and College of Law, on behalf of the IRPC and the UN Internet Governance Forum, with a lead role taken by INSCT alumnus Kevin Risser (MPA ’16; CAS in Security Studies) and by INSCT Affiliated Faculty Member Lee McKnight.